Sub-processors
Last updated: April 2026
AccessiProof uses the third-party service providers listed below to operate the platform, process payments, deliver email, and accelerate internal report production. Under GDPR Art. 28(2), we publish this list so our customers (acting as controllers of their end-users' data) can assess and object to changes in our sub-processing arrangements.
Sub-processors are bound by written contracts that require at least the same data-protection obligations as those set out in our Data Processing Addendum. Where sub-processors operate outside the EEA, transfers are protected by the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, supplementary technical measures such as encryption in transit and at rest.
Current sub-processors
| Provider | Purpose | Data processed | Location | Transfer basis |
|---|---|---|---|---|
| Vercel Inc. | Hosting of the AccessiProof web application; Vercel Analytics (cookie-less) and Speed Insights for aggregate performance telemetry. | Request metadata (URL, user-agent, country, anonymised device signals), end-user email addresses submitted through forms in transit, account identifiers for authenticated operator sessions. | United States (with EU edge regions) | EU Standard Contractual Clauses (Module 3, Processor-to-Processor) |
| Neon Inc. | Serverless Postgres database for customer, scan, issue, and report records. | Customer account data (name, email, company), scan results, issue evidence (HTML snippets, selectors, screenshots metadata), report content, billing identifiers. | European Union (Frankfurt region) | Within the EEA — no Article 44 transfer |
| Hetzner Online GmbH | Virtual private server hosting the Playwright + axe-core scanner worker. | Target URLs submitted for scanning, captured page HTML and screenshots during scan execution, scan logs. | Germany | Within the EEA — no Article 44 transfer |
| Stripe Payments Europe, Ltd. | Processing payments for paid audits and monthly monitoring retainers. | Customer name, email, billing address, payment method token (card details never stored by AccessiProof), transaction history. | Ireland (primary) / United States | EU Standard Contractual Clauses; Stripe acts as an independent controller for fraud prevention under PSD2 |
| Resend, Inc. | Transactional email delivery (scan completion notifications, report links, billing emails). | Recipient email address, email subject and body (which may contain a scan URL, customer name, and a tokenised report link). | United States | EU Standard Contractual Clauses |
| Anthropic PBC | Claude API used internally to accelerate report production (executive summaries, remediation phrasing, business-impact narratives). AccessiProof does not use AI to generate customer-facing compliance determinations. | Aggregated, de-identified scan findings (issue types, counts, selectors, HTML snippets stripped of user-identifying content). No end-user personal data or customer account data is sent to Anthropic. | United States | EU Standard Contractual Clauses (Module 2, C2P) |
Affiliates
Each sub-processor above may use its own corporate affiliates to deliver the service (for example, Stripe Payments Europe, Ltd. relies on Stripe, Inc. for its technical platform). Those affiliates are treated as part of the same sub-processor entry and are subject to the same contractual terms.
Changes to this list
AccessiProof will give customers at least 30 days' prior notice by email before adding or replacing a sub-processor that handles customer personal data. During that notice period a customer may object in writing on reasonable data-protection grounds. If the objection cannot be resolved, the customer may terminate the affected service for the unused portion of the billing period.
To subscribe to sub-processor change notifications, email office@accessiproof.com with the subject line "subprocessor updates".
Related documents
- Data Processing Addendum — the contractual terms that govern our role as processor.
- Privacy Policy — how we handle personal data as controller.
- Imprint — legal entity disclosure under EU Directive 2000/31/EC Art. 5 and Romanian Law 365/2002.